Skip to content

πŸ›‘οΈ Sentinel: [HIGH] Fix local code execution via .git/config#60

Open
tachyon-beep wants to merge 2 commits into
mainfrom
sentinel-fix-git-local-exec-17497702988419548186
Open

πŸ›‘οΈ Sentinel: [HIGH] Fix local code execution via .git/config#60
tachyon-beep wants to merge 2 commits into
mainfrom
sentinel-fix-git-local-exec-17497702988419548186

Conversation

@tachyon-beep

@tachyon-beep tachyon-beep commented Jun 22, 2026

Copy link
Copy Markdown
Collaborator

🚨 Severity: HIGH
πŸ’‘ Vulnerability: Invoking git via subprocess.run against potentially untrusted directories can lead to local code execution via malicious .git/config files (e.g. core.fsmonitor). The codebase was executing git commands like git rev-parse or git diff against arbitrary paths without sanitizing the local git configuration environment.
🎯 Impact: If an attacker can trick the user or system into running the scanner against a directory containing a malicious .git/config file (such as during PR checks or artifact verification on untrusted repos), they could achieve local code execution on the scanning machine.
πŸ”§ Fix: Added _SAFE_GIT_CONFIG = ("-c", "core.fsmonitor=false") and appended it to all subprocess.run(["git", ...]) calls in src/wardline/core/delta.py and src/wardline/core/legis.py. This ensures git commands execute safely regardless of any local repository configuration. Updated tests to account for the new configuration argument. Added a Sentinel journal entry.
βœ… Verification: Verify that uv run pytest tests/unit/core/test_delta.py and make test pass successfully. Check .jules/sentinel.md for the documented learning.

PR created automatically by Jules for task 17497702988419548186 started by @tachyon-beep

@google-labs-jules @tachyon-beep
πŸ›‘οΈ Sentinel: [CRITICAL/HIGH] Fix local code execution vulnerability v…
d6ae81f 
…ia .git/config

Added `_SAFE_GIT_CONFIG = ("-c", "core.fsmonitor=false")` to `subprocess.run(["git", ...])` calls in `wardline.core.delta` and `wardline.core.legis` to prevent local code execution via malicious `.git/config` files when checking unverified/untrusted repositories. Added Sentinel journal entry and updated tests.

Co-authored-by: tachyon-beep <544926+tachyon-beep@users.noreply.github.com>
@google-labs-jules

google-labs-jules Bot commented Jun 22, 2026

Copy link
Copy Markdown

πŸ‘‹ Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a πŸ‘€ emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

@google-labs-jules @tachyon-beep
πŸ›‘οΈ Sentinel: [CRITICAL/HIGH] Fix local code execution vulnerability v…
0e727d2 
…ia .git/config

Fixed line length linting errors in tests introduced by the git configuration security fix.

Co-authored-by: tachyon-beep <544926+tachyon-beep@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tachyon-beep